Setup Co-Management Cloud DP Azure Blob Storage

Co-Management Cloud DP

A Cloud-based Distribution Point (CDP) is an SCCM DP that is hosted in Microsoft Azure. The application packages will be stored in Azure Blob storage. And it is a PaaS (Platform As A Service) solution from Microsoft SCCM. Security Patching of Azure PaaS solution servers is Microsoft’s responsibility. In this post, we will see how to setup co-management cloud DP.

Co-Management Related Posts

Overview Windows 10 Co-Management with Intune and SCCM
Custom Report to Identify Machines Connected via SCCM CMG
How to Setup Co-Management - Introduction - Prerequisites
How to Setup Co-Management - Firewall Ports Proxy Requirements
Setup Co-Management AAD Connect UPN Suffix
Setup Co-Management CA PKI Certificates 
Setup Co-Management Cloud DP Azure Blob Storage (This post)

Content of this Post

Video Tutorial to Setup Co-Management Cloud DP
Co-Management Cloud DP Requirement
How to Configure Cloud DP
How to Test Cloud DP Functionality
Azure Blob Storage Cloud DP

Video Tutorial to Setup Co-Management Cloud DP

Co-Management Cloud DP Requirement

Cloud DP (CDP) is not a prerequisite for SCCM Co-Management. However,  Cloud DP (CDP) is required for the scenario where you want to install SCCM client from the internet. SCCM Cloud Management Gateway (CMG) & CDP are necessary for the situation mentioned above.

Azure Subscription and access rights are required to provision Cloud DP server and storage in Azure PaaS. SCCM will automatically perform the provisioning of cloud DP for you. You can confirm the details of configurations in SCCM console wizard.

There is no option to have ARM-based CDP for SCCM 1802 or previous versions. Hence, we need to provision CDP via classic model with a self signed authentication certificate. This cert is required for completing the Cloud DP wizard from SCCM CB console. I would recommend reading the previous post Setup Co-Management CA PKI Certificates to have more details.

A service certificate (PKI) or Public Cert is required that is used by SCCM clients to connect to CDP and download content from them by using HTTPS.

A device or user must have Allow Access to cloud distribution points set to Yes in the client setting of Cloud Services before a device or user can access content from a cloud-based distribution point. By default, this value is set to No.

A client must be able to access the Internet to use the cloud-based distribution point.

A client must be able to resolve the name of the cloud service, which requires a Domain Name System (DNS) alias and a CNAME record in your DNS namespace.

TIP:- For SCCM LAB use the host file for name resolution. And following is the sample entry which I used in the host file

I would recommend reading documentation on CDP prerequisites before proceeding further.

How to Configure Cloud DP

Once you have Azure subscription ID, Certs, and appropriate access to subscription, then you can start the Cloud DP installation wizard from SCCM console. Co-management Cloud DP installation is straightforward once you have the requirements ready.

Navigate via SCCM console \Administration\Overview\Cloud Services\Cloud Distribution Points. Click on ribbon icon “Create Cloud Distribution Point” to kick-start the CDP installation wizard. Go through the wizard as I have shown in the video tutorial.

How to Test Cloud DP Functionality

We can confirm the functionality of cloud DP without distributing any packages manually. There are two (2) default packages get automatically distributed to CDP.

Configuration Manager Client Package 224.74 MB
Configuration Manager Client Piloting Package 224.74 MB

You can check the status of these package distribution from SCCM console “\Monitoring\ Overview\Distribution Status\Content Status\Configuration Manager Client Package”.

You can also look at the log files to get more details about the Cloud DP provisioning process and communication.

and PkgXferMgr.log
***Start of trace dump from WADLogsTable, storage account = 5351e58bec6d46e3b148ve2d. (query for entries between [01/01/1601 00:00:00] and [04/12/2018 13:54:57] $$<C:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe><04-12-2018 13:59:59.255381-00><thread=33 (2508)>
UpdateTraceSwitchValues - Trace switch values set: TraceLevel =Information $$<ContentService_IN_0 9a7fed20432c44879cd210acc451b21b><04-12-2018 13:28:36.229625-00><thread=2904 (1784)>
Starting...; TraceSource 'CloudDPService' event $$<ContentService_IN_0 9a7fdd20432b44879ed210acc451b21b><04-12-2018 13:28:36.229625-00><thread=2904 (1784)>
Exiting...; TraceSource 'CloudDPService' event $$<ContentService_IN_0 9a7fed20432c44879cd211acc451b21b><04-12-2018 13:49:26.136926-00><thread=2256 (1784)>

Azure Blob Storage Cloud DP

Deep Dive into Azure portal and check the blob storage for the content files. The cloud DP package content is stored in the blob storage. You don’t have to change anything in the permission level in the blog storage. But you can delegate Blob storage permissions to SCCM team if needed. But this permission setting is not part of SCCM RBAC. However, the permission delegation can be done via an Azure AD.

I would recommend reading the following document Install cloud-based distribution points in Microsoft Azure for SCCM.


Please enter your comment!
Please enter your name here